# $OpenBSD: forcecommand.sh,v 1.7 2023/11/01 02:08:38 dtucker Exp $ # Placed in the Public Domain. tid="forced command" cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak authorized_keys() { cmd=$1 cp /dev/null $OBJ/authorized_keys_$USER for t in ${SSH_KEYTYPES}; do test -z "$cmd" || \ printf "command=\"$cmd\" " >>$OBJ/authorized_keys_$USER cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER done } trace "test config with sftp" authorized_keys rm -f $OBJ/ssh_proxy.tmp if [ "$os" == "windows" ]; then echo "@get $OBJ/ssh_proxy $OBJ/ssh_proxy.tmp" | \ ${SFTP} -S "$TEST_SHELL_PATH ${SSH}" -b - -qF $OBJ/ssh_proxy somehost 2>/dev/null || \ fail "sftp failed" else echo "@get $OBJ/ssh_proxy $OBJ/ssh_proxy.tmp" | \ ${SFTP} -S ${SSH} -b - -qF $OBJ/ssh_proxy somehost 2>/dev/null || \ fail "sftp failed" fi test -f "$OBJ/ssh_proxy.tmp" || fail "sftp did not download file" rm -f $OBJ/ssh_proxy.tmp trace "forced command in key option" authorized_keys true ${SSH} -F $OBJ/ssh_proxy somehost false || fail "forced command in key option" authorized_keys false cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy echo "ForceCommand true" >> $OBJ/sshd_proxy trace "forced command in sshd_config overrides key option" ${SSH} -F $OBJ/ssh_proxy somehost false || fail "forced command config" authorized_keys cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy echo "ForceCommand false" >> $OBJ/sshd_proxy trace "force command overriding subsystem" if [ "$os" == "windows" ]; then echo "@get $OBJ/ssh_proxy $OBJ/ssh_proxy.tmp" | \ ${SFTP} -S "$TEST_SHELL_PATH ${SSH}" -F $OBJ/ssh_proxy -oLoglevel=quiet somehost && \ fail "sftp succeeded" # If User is domainuser then it will be in "domain/user" so convert it to "domain\user" echo "Match user ${USER//\//\\}" >>$OBJ/sshd_proxy else echo "@get $OBJ/ssh_proxy $OBJ/ssh_proxy.tmp" | \ ${SFTP} -S ${SSH} -F $OBJ/ssh_proxy -oLoglevel=quiet somehost && \ fail "sftp succeeded" echo "Match User $USER" >>$OBJ/sshd_proxy fi echo " ForceCommand true" >> $OBJ/sshd_proxy trace "forced command with match" ${SSH} -F $OBJ/ssh_proxy somehost false || fail "forced command match" trace "force command in match overriding subsystem" if [ "$os" == "windows" ]; then echo "@get $OBJ/ssh_proxy $OBJ/ssh_proxy.tmp" | \ ${SFTP} -S "$TEST_SHELL_PATH ${SSH}" -F $OBJ/ssh_proxy -oLoglevel=quiet somehost && \ fail "sftp succeeded" else echo "@get $OBJ/ssh_proxy $OBJ/ssh_proxy.tmp" | \ ${SFTP} -S ${SSH} -F $OBJ/ssh_proxy -oLoglevel=quiet somehost && \ fail "sftp succeeded" fi trace "force command to sftpserver" grep -vi subsystem $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy echo "Subsystem sftp /bin/false" >> $OBJ/sshd_proxy echo "ForceCommand ${SFTPSERVER}" >> $OBJ/sshd_proxy rm -f $OBJ/ssh_proxy.tmp if [ "$os" == "windows" ]; then echo "@get $OBJ/ssh_proxy $OBJ/ssh_proxy.tmp" | \ ${SFTP} -S "$TEST_SHELL_PATH ${SSH}" -b - -qF $OBJ/ssh_proxy somehost 2>/dev/null || \ fail "sftp failed" else echo "@get $OBJ/ssh_proxy $OBJ/ssh_proxy.tmp" | \ ${SFTP} -S ${SSH} -b - -qF $OBJ/ssh_proxy somehost 2>/dev/null || \ fail "sftp failed" fi test -f "$OBJ/ssh_proxy.tmp" || fail "sftp did not download file" rm -f $OBJ/ssh_proxy.tmp